This group of policies
applies to the network infrastructure to which computer systems are attached
and over which data travels. Policies relating to network traffic between computers
can be the most variable of all, because an organization’s network is the most
unique component of its computing infrastructure, and because software development companies use
their networks in different ways. These example policies may or may not apply
to your particular network, but they may provide inspiration for policy topics
you can consider.
Extranet Connection Access Control: All extranet connections (connections
to and from other organizations’ networks outside of the organization, either
originating from the external organization’s remote network into the internal
network, or originating from the internal network going out to the external
organization’s remote network) must limit external access to only those
services authorized for the remote organization. This access control must be
enforced by IP address and TCP/UDP port filtering on the network equipment used
to establish the connection.
System Communication Ports: Systems communicating with other
systems on the local network must be restricted only to authorized
communication ports. Communication ports for services not in use by operational
software must be blocked by firewalls or router filters.
Inbound Internet Communication Ports: Systems communicating
from the Internet to internal systems must be restricted to use only authorized
communication ports. Firewall filters must block communication ports for
services not in use by operational system software. The default must be to
block all ports, and to make exceptions to allow specific ports required by
system software.
Outbound Internet Communication Ports: Systems communicating
with the Internet must be restricted to use only authorized communication
ports. Firewall filters must block communication ports for services not in use
by operational system software. The default must be to block all ports, and to
make exceptions to allow specific ports required by system software.
Unauthorized Internet Access Blocking: All users must be automatically blocked
from accessing Internet sites identified as inappropriate for the
organization’s use. This access restriction must be enforced by automated
software that is updated frequently.
Extranet Connection Network Segmentation: All extranet connections
must be limited to separate network segments not directly connected to the
corporate network.
Virtual Private Network: All remote access to the
corporate network is to be provided by virtual private network (VPN). Dial-up
access into the corporate network is not allowed.
Virtual Private Network Authentication: All virtual private network connections into the corporate
network require token-based or biometric authentication.
Home System Connections: Employee and contractor
home systems may connect to the corporate network via a virtual private network
only if they have been installed with a corporate-approved, standard operating
system configuration with appropriate security patches as well as
corporate-approved personal firewall software or a network firewall device in software development companies.